Web Application Firewall (WAF)

 

 

 

 

 

(1) What is a web application firewall? (it acts as an application proxy)

 

Web client -------> Firewall -----> IPS (intrusion prevention system) ----> WAF (web application firewall) ---> Web server

(web browser)       (iptables)      (snort + prevent)                       (modsecurity)                        (linux200)

Each hop inspects a different layer: iptables filters packets, the IPS matches signatures on the traffic stream, and the WAF, which sits directly in front of the web server as an application proxy, parses the HTTP request itself (method, URI, headers, parameters) and can deny it before it reaches the application.

 

 

 


 

 

 

(2) Free web application firewalls

 

Damage from web attacks, such as malware distribution through websites and the abuse of sites as phishing pages, has reached a serious level. The Korea Information Security Agency recommends two open-source web application firewalls that can block basic web attacks, aimed at small and medium-sized businesses with no budget for new security investment.

 

 

WebKnight

 

An open-source web application firewall for the IIS web server, developed by AQTRONIX. It blocks the main attacks against IIS, such as SQL injection.

Homepage: http://www.aqtronic.com/?PageID=99

 

 

 

ModSecurity

 

An open-source web application firewall for the Apache web server, developed by Ivan Ristic. It blocks the main attacks against Apache, such as PHP injection.

Homepage: http://www.modsecurity.org

 

 

 

For details, see the following.

Open-source web application firewalls

http://www.krcert.or.kr/download/webFirewall.do

 

() http://www.krcert.or.kr > "Download" at the top > "Open-source web application firewall"

() Downloads > search for "modsecurity" > download the related files

 

Web vulnerability check

http://www.krcert.or.kr/webprotect/webVulnerability.do

 

() http://www.krcert.or.kr > "Download" at the top > "Web vulnerability check"

 

 

 

 

 

(3) WAF deployment examples


(4) Free web vulnerability check service

 

http://www.krcert.or.kr/webprotect/webVulnerability.do

 


 

 

 

(5) Exercise: search the internet and write up a document (time: about 30 minutes)

-> http://www.youtube.com

Search keyword: "modsecurity"

Search keyword: "modsecurity tutorial"

Search keyword: "modsecurity centos"

Search keyword: "modsecurity configuration"

Search keyword: "modsecurity setup"

 

 

 

 

 

[Lab] Installing and testing a WAF

 

Systems used

linux200 (WAF + web server)

KaliLinux (attacker)

 

 

(linux200) 192.168.20.200

 

---- linux200 ------------------------------- linux200 ----

 

---> WAF (Web Application Firewall) <----> Apache Web Server

     modsecurity

In this lab the WAF and the web server are the same host: ModSecurity is loaded into Apache as a module (mod_security2.so), so there is no separate proxy machine in front of linux200.

 

 

Downloading modsecurity

http://www.modsecurity.org

-> Under "Get Code" at the top right, select "Source/Binary"

 


 

Setting up the community repository

http://www.modsecurity.org/download.html

-> In the "Community Repository" section at the top right, select "RHEL/CentOS Yum Repository (Jason Litka)"

 


Yum Repository <--------- # yum -y install <PKG>

/etc/yum.repos.d/*.repo

 

# cd /etc/pki/rpm-gpg

# rpm --import http://yum.jasonlitka.com/RPM-GPG-KEY-jlitka

#

 

# vi /etc/yum.repos.d/utterramblings.repo

[utterramblings]

name=Jason's Utter Ramblings Repo

baseurl=http://yum.jasonlitka.com/EL$releasever/$basearch/

enabled=1

gpgcheck=1

gpgkey=http://yum.jasonlitka.com/RPM-GPG-KEY-jlitka

 

[Note] What the file means

[utterramblings] /* repository id */

name=Jason's Utter Ramblings Repo /* display name */

baseurl=http://yum.jasonlitka.com/EL$releasever/$basearch/ /* $releasever and $basearch are filled in by yum (EL5 and i386 on this host) */

enabled=1 /* enable : 1, disable : 0 */

gpgcheck=1 /* check : 1, uncheck : 0 */

gpgkey=http://yum.jasonlitka.com/RPM-GPG-KEY-jlitka /* key that package signatures are checked against */

Two things to keep in mind with this repository. The key is fetched over plain http, so gpgcheck=1 only proves that a package was signed by whoever controlled that URL when the key was imported; compare the key's fingerprint with one obtained out of band before relying on it. And, as the transaction below shows, enabling the repository does not just add mod_security: it also replaces the distribution's httpd, apr, apr-util, mod_ssl and pcre packages with third-party builds ("Updating:" and "Updating for dependencies:"), so from then on security updates for those packages come from this repository, not from CentOS.

 

 

Installing the mod_security/httpd/httpd-devel packages

 

(Caution) Be sure to take a snapshot first.

(Caution) Stop the web daemon (# service httpd stop; # chkconfig httpd off)

 

# yum -y install mod_security

-> This takes a little while.

 

(32-bit OS) # yum -y install httpd httpd-devel

(64-bit OS) # yum -y install httpd.x86_64 httpd-devel.x86_64 httpd-manual.x86_64

Loaded plugins: fastestmirror, security

Loading mirror speeds from cached hostfile

* base: mirror.premi.st

* extras: mirror.premi.st

* rpmforge: ftp.riken.jp

* updates: data.nicehosting.co.kr

Setting up Install Process

Resolving Dependencies

--> Running transaction check

--> Processing Dependency: httpd = 2.2.3-87.el5.centos for package: httpd-manual

--> Processing Dependency: httpd = 2.2.3-87.el5.centos for package: mod_ssl

---> Package httpd.i386 0:2.2.22-jason.1 set to be updated

--> Processing Dependency: apr-util-ldap for package: httpd

---> Package httpd-devel.i386 0:2.2.22-jason.1 set to be updated

--> Processing Dependency: apr-util-devel for package: httpd-devel

--> Processing Dependency: apr-devel for package: httpd-devel

--> Running transaction check

---> Package apr-devel.i386 0:1.4.5-1.jason.1 set to be updated

--> Processing Dependency: apr = 1.4.5-1.jason.1 for package: apr-devel

---> Package apr-util-devel.i386 0:1.3.12-1.jason.1 set to be updated

--> Processing Dependency: apr-util = 1.3.12-1.jason.1 for package: apr-util-devel

--> Processing Dependency: openldap-devel for package: apr-util-devel

--> Processing Dependency: expat-devel for package: apr-util-devel

--> Processing Dependency: db4-devel for package: apr-util-devel

---> Package apr-util-ldap.i386 0:1.3.12-1.jason.1 set to be updated

---> Package httpd-manual.i386 0:2.2.22-jason.1 set to be updated

---> Package mod_ssl.i386 1:2.2.22-jason.1 set to be updated

--> Running transaction check

---> Package apr.i386 0:1.4.5-1.jason.1 set to be updated

---> Package apr-util.i386 0:1.3.12-1.jason.1 set to be updated

---> Package db4-devel.i386 0:4.3.29-10.el5_5.2 set to be updated

---> Package expat-devel.i386 0:1.95.8-11.el5_8 set to be updated

---> Package openldap-devel.i386 0:2.3.43-28.el5_10 set to be updated

--> Processing Dependency: cyrus-sasl-devel >= 2.1 for package: openldap-devel

--> Running transaction check

---> Package cyrus-sasl-devel.i386 0:2.1.22-7.el5_8.1 set to be updated

--> Finished Dependency Resolution

 

Dependencies Resolved

 

====================================================================================================================

Package Arch Version Repository Size

====================================================================================================================

Installing:

httpd-devel i386 2.2.22-jason.1 utterramblings 151 k

Updating:

httpd i386 2.2.22-jason.1 utterramblings 3.0 M

Installing for dependencies:

apr-devel i386 1.4.5-1.jason.1 utterramblings 181 k

apr-util-devel i386 1.3.12-1.jason.1 utterramblings 70 k

apr-util-ldap i386 1.3.12-1.jason.1 utterramblings 19 k

cyrus-sasl-devel i386 2.1.22-7.el5_8.1 base 1.4 M

db4-devel i386 4.3.29-10.el5_5.2 base 1.9 M

expat-devel i386 1.95.8-11.el5_8 base 132 k

openldap-devel i386 2.3.43-28.el5_10 updates 2.9 M

Updating for dependencies:

apr i386 1.4.5-1.jason.1 utterramblings 258 k

apr-util i386 1.3.12-1.jason.1 utterramblings 196 k

httpd-manual i386 2.2.22-jason.1 utterramblings 989 k

mod_ssl i386 1:2.2.22-jason.1 utterramblings 324 k

 

Transaction Summary

=============================================================================================================================

Install 8 Package(s)

Upgrade 5 Package(s)

 

Total download size: 11 M

Downloading Packages:

(1/13): apr-util-ldap-1.3.12-1.jason.1.i386.rpm | 19 kB 00:00

(2/13): apr-util-devel-1.3.12-1.jason.1.i386.rpm | 70 kB 00:01

(3/13): expat-devel-1.95.8-11.el5_8.i386.rpm | 132 kB 00:00

(4/13): httpd-devel-2.2.22-jason.1.i386.rpm | 151 kB 00:01

(5/13): apr-devel-1.4.5-1.jason.1.i386.rpm | 181 kB 00:02

(6/13): apr-util-1.3.12-1.jason.1.i386.rpm | 196 kB 00:01

(7/13): apr-1.4.5-1.jason.1.i386.rpm | 258 kB 00:02

(8/13): mod_ssl-2.2.22-jason.1.i386.rpm | 324 kB 00:04

(9/13): httpd-manual-2.2.22-jason.1.i386.rpm | 989 kB 00:11

(10/13): cyrus-sasl-devel-2.1.22-7.el5_8.1.i386.rpm | 1.4 MB 00:00

(11/13): db4-devel-4.3.29-10.el5_5.2.i386.rpm | 1.9 MB 00:00

(12/13): openldap-devel-2.3.43-28.el5_10.i386.rpm | 2.9 MB 00:01

(13/13): httpd-2.2.22-jason.1.i386.rpm | 3.0 MB 00:39

-----------------------------------------------------------------------------------------------------------------------------

Total 172 kB/s | 11 MB 01:08

Running rpm_check_debug

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Updating : apr 1/18

Updating : apr-util 2/18

Installing : apr-util-ldap 3/18

Updating : httpd 4/18

warning: /etc/httpd/conf/httpd.conf created as /etc/httpd/conf/httpd.conf.rpmnew

Installing : cyrus-sasl-devel 5/18

Installing : apr-devel 6/18

Installing : openldap-devel 7/18

Installing : db4-devel 8/18

Installing : expat-devel 9/18

Installing : apr-util-devel 10/18

Updating : mod_ssl 11/18

Installing : httpd-devel 12/18

Updating : httpd-manual 13/18

Cleanup : mod_ssl 14/18

Cleanup : httpd 15/18

Cleanup : apr-util 16/18

Cleanup : httpd-manual 17/18

Cleanup : apr 18/18

 

Installed:

httpd-devel.i386 0:2.2.22-jason.1

 

Dependency Installed:

apr-devel.i386 0:1.4.5-1.jason.1 apr-util-devel.i386 0:1.3.12-1.jason.1 apr-util-ldap.i386 0:1.3.12-1.jason.1

cyrus-sasl-devel.i386 0:2.1.22-7.el5_8.1 db4-devel.i386 0:4.3.29-10.el5_5.2 expat-devel.i386 0:1.95.8-11.el5_8

openldap-devel.i386 0:2.3.43-28.el5_10

 

Updated:

httpd.i386 0:2.2.22-jason.1

 

Dependency Updated:

apr.i386 0:1.4.5-1.jason.1 apr-util.i386 0:1.3.12-1.jason.1 httpd-manual.i386 0:2.2.22-jason.1

mod_ssl.i386 1:2.2.22-jason.1

 

Complete!

 

 

 

# yum -y install pcre pcre-devel

Loaded plugins: fastestmirror, security

Loading mirror speeds from cached hostfile

* base: mirror.premi.st

* extras: mirror.premi.st

* rpmforge: ftp.riken.jp

* updates: data.nicehosting.co.kr

Setting up Install Process

Resolving Dependencies

--> Running transaction check

---> Package pcre.i386 0:8.13-1.jason.2 set to be updated

---> Package pcre-devel.i386 0:8.13-1.jason.2 set to be updated

--> Finished Dependency Resolution

 

Dependencies Resolved

 

===================================================================================

Package Arch Version Repository Size

===================================================================================

Updating:

pcre i386 8.13-1.jason.2 utterramblings 509 k

pcre-devel i386 8.13-1.jason.2 utterramblings 438 k

 

Transaction Summary

===================================================================================

Install 0 Package(s)

Upgrade 2 Package(s)

 

Total download size: 946 k

Downloading Packages:

(1/2): pcre-devel-8.13-1.jason.2.i386.rpm | 438 kB 00:02

(2/2): pcre-8.13-1.jason.2.i386.rpm | 509 kB 00:01

-----------------------------------------------------------------------------------

Total 202 kB/s | 946 kB 00:04

Running rpm_check_debug

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Updating : pcre 1/4

Updating : pcre-devel 2/4

Cleanup : pcre 3/4

Cleanup : pcre-devel 4/4

 

Updated:

pcre.i386 0:8.13-1.jason.2 pcre-devel.i386 0:8.13-1.jason.2

 

Complete!

 

 

 

Verifying that the mod_security package is installed

# rpm -qa | grep mod_security

mod_security-2.5.9-1.jason.1

 

# rpm -ql mod_security

/etc/httpd/conf.d/mod_security.conf

/etc/httpd/modsecurity.d

/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

/etc/httpd/modsecurity.d/modsecurity_crs_20_protocol_violations.conf

/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

/etc/httpd/modsecurity.d/modsecurity_crs_23_request_limits.conf

/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf

/etc/httpd/modsecurity.d/modsecurity_crs_35_bad_robots.conf

/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf

/etc/httpd/modsecurity.d/modsecurity_crs_45_trojans.conf

/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf

/etc/httpd/modsecurity.d/modsecurity_localrules.conf

/etc/httpd/modsecurity.d/optional_rules

/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_20_protocol_violations.conf

/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_21_protocol_anomalies.conf

/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_40_generic_attacks.conf

/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_42_comment_spam.conf

/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_42_tight_security.conf

/etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_55_marketing.conf

/etc/mlogc.conf

/usr/bin/mlogc

/usr/lib/httpd/modules/mod_security2.so

/usr/share/doc/mod_security-2.5.9

/usr/share/doc/mod_security-2.5.9/CHANGES

/usr/share/doc/mod_security-2.5.9/LICENSE

/usr/share/doc/mod_security-2.5.9/MODSECURITY_LICENSING_EXCEPTION

/usr/share/doc/mod_security-2.5.9/README.TXT

/usr/share/doc/mod_security-2.5.9/doc

/usr/share/doc/mod_security-2.5.9/doc/apache_request_cycle-modsecurity.jpg

/usr/share/doc/mod_security-2.5.9/doc/breach-logo-small.gif

/usr/share/doc/mod_security-2.5.9/doc/html-multipage

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/actions.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/apache_request_cycle-modsecurity.jpg

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/ar01s02.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/ar01s10.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/ar01s11.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/ar01s12.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/breach-logo-small.gif

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/configuration-directives.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/index.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/installation.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/introduction.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/modsecurity-reference.css

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/modsecurity.gif

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/operators.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/processing-phases.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/transformation-functions.html

/usr/share/doc/mod_security-2.5.9/doc/html-multipage/variables.html

/usr/share/doc/mod_security-2.5.9/doc/index.html

/usr/share/doc/mod_security-2.5.9/doc/migration-matrix.html

/usr/share/doc/mod_security-2.5.9/doc/migration-matrix.xml

/usr/share/doc/mod_security-2.5.9/doc/modsecurity-reference.css

/usr/share/doc/mod_security-2.5.9/doc/modsecurity.gif

/usr/share/doc/mod_security-2.5.9/doc/modsecurity2-apache-reference.html

/usr/share/doc/mod_security-2.5.9/doc/modsecurity2-apache-reference.pdf

/usr/share/doc/mod_security-2.5.9/doc/modsecurity2-apache-reference.xml

/usr/share/doc/mod_security-2.5.9/doc/modsecurity2-data-formats.html

/usr/share/doc/mod_security-2.5.9/doc/modsecurity2-data-formats.pdf

/usr/share/doc/mod_security-2.5.9/doc/modsecurity2-data-formats.xml

/usr/share/doc/mod_security-2.5.9/modsecurity.conf-minimal

 

 

 

Downloading the rules files (OWASP CRS, Core Rule Set)

 

http://www.modsecurity.org/

-> Under "Get Rules" at the top right, select "Free/Commercial"

-> Select the "OWASP Project Site" icon at the bottom left

-> Under "Quick Download" at the top right, select "Latest CRS (ZIP)"

 


 


 


 

 

 

[Note] Apache configuration directory

Apache installed from a package: /etc/httpd/conf

Apache installed from source: /usr/local/apache2/conf

 

 

 

# cd /etc/httpd/conf

# wget https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master -O master.zip

--2014-09-23 09:04:05-- https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master

Resolving github.com... 192.30.252.130

Connecting to github.com|192.30.252.130|:443... connected.

HTTP request sent, awaiting response... 302 Found

Location: https://codeload.github.com/SpiderLabs/owasp-modsecurity-crs/legacy.zip/master [following]

--2014-09-23 09:04:06-- https://codeload.github.com/SpiderLabs/owasp-modsecurity-crs/legacy.zip/master

Resolving codeload.github.com... 192.30.252.144

Connecting to codeload.github.com|192.30.252.144|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 343684 (336K) [application/zip]

Saving to: `master.zip'

 

100%[===================================================================================>] 343,684 227K/s in 1.5s

 

2014-09-23 09:04:08 (227 KB/s) - `master.zip' saved [343684/343684]

 

# ls

httpd.conf httpd.conf.rpmnew magic master.zip

 

[Note] Extracting archives by file extension

A.tar.gz -> # tar xvzf A.tar.gz

A.tar.bz2 -> # tar xvjf A.tar.bz2

A.zip -> # unzip A.zip

A.jar -> # jar xvf A.jar

A.gz -> # gunzip A.gz

A.bz2 -> # bunzip2 A.bz2

A.Z -> # uncompress A.Z

 

# unzip master.zip

-> output omitted

 

# ls

httpd.conf httpd.conf.rpmnew magic master.zip SpiderLabs-owasp-modsecurity-crs-ebe8790/

 

# mv SpiderLabs-owasp-modsecurity-crs-ebe8790 crs

# ls

crs/ httpd.conf httpd.conf.rpmnew magic master.zip

 

# cd crs

# ls

activated_rules/ INSTALL optional_rules/

base_rules/ LICENSE README.md

CHANGES lua/ slr_rules/

experimental_rules/ modsecurity_crs_10_setup.conf.example util/

 

 

# cat INSTALL

Core Rule Set Quick Setup

=========================

 

To activate the rules for your web server installation:

 

1) Copy the modsecurity_crs_10_setup.conf.example file to modsecurity_crs_10_setup.conf

and customize the settings for your local environment.

 

The modsecurity_crs_10_setup.conf file includes management rules and directives

that can control important CRS functions. Pay attention to

the SecRuleEngine setting (On by default) and that the SecDefaultAction

directive is set to "pass". The 49 inbound blocking and 59 outbound blocking

rules files use the "block" action which

inherits this setting. This effectively means that you can toggle the

SecDefaultAction setting to decide if you would like to deny on an

anomaly scoring/correlation match.

 

Update the PARANOID_MODE variable setting if you want to become more

aggressive in your detection. Caution - this will cause more false positives.

 

Update the appropriate anomaly scoring levels that will be propagated

to the inbound/outbound blocking files.

 

Update the TX policy settings for allowed Request Methods, File Extensions, etc...

 

2) Enable the CRS rules files you want to use by creating symlinks under the

"activated_rules" directory location. You will want to create symlinks for the

following:

 

1) The main modsecurity_crs_10_setup.conf file

2) Any rules from the base_rules directory

3) Any remaining rules from the optional_rules, slr_rules or experimental_rules directories

 

$ pwd

/usr/local/apache/conf/crs

$ ls

CHANGELOG app_sensor modsecurity_crs_10_setup.conf slr_rules

LICENSE base_rules modsecurity_crs_10_setup.conf.example util

README experimental_rules modsecurity_crs_15_customrules.conf

activated_rules lua optional_rules

$ sudo ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_setup.conf activated_rules/modsecurity_crs_10_setup.conf

$ for f in `ls base_rules/` ; do sudo ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done

$ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done

$ ls -l activated_rules

total 216

lrwxr-xr-x 1 root wheel 52 May 17 14:01 GsbMalware.dat -> /usr/local/apache/conf/crs/base_rules/GsbMalware.dat

lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data

lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data

lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data

lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data

lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data

lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data

lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data

lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf

lrwxr-xr-x 1 root wheel 57 May 17 14:22 modsecurity_crs_10_setup.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_setup.conf

lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf

lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf

lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf

lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf

lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf

lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf

lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf

lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf

lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf

lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf

lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf

lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example ->

/usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example

lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf

lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf

lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf

lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf

lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf

 

3) Add the following line to your httpd.conf (assuming

you've placed the rule files into conf/crs/):

 

<IfModule security2_module>

Include conf/crs/modsecurity_crs_10_setup.conf

Include conf/crs/activated_rules/*.conf

</IfModule>

 

3) Restart web server.

 

4) Make sure your web sites are still running fine.

 

5) Simulate an attack against the web server. Then check

the attack was correctly logged in the Apache error log,

ModSecurity debug log (if you enabled it) and ModSecurity

audit log (if you enabled it).

 

# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

#

 

# ln -s /etc/httpd/conf/crs/modsecurity_crs_10_setup.conf activated_rules/modsecurity_crs_10_setup.conf

 

# for FILE in `ls base_rules/`

do

ln -s /etc/httpd/conf/crs/base_rules/$FILE activated_rules/$FILE

done

 

# for FILE in `ls optional_rules/ | grep comment_spam`

do

ln -s /etc/httpd/conf/crs/optional_rules/$FILE activated_rules/$FILE

done

 

 

 

# ls -l activated_rules

total 84K

lrwxrwxrwx 1 root root 61 Sep 23 09:36 modsecurity_35_bad_robots.data -> /etc/httpd/conf/crs/base_rules/modsecurity_35_bad_robots.data

lrwxrwxrwx 1 root root 59 Sep 23 09:36 modsecurity_35_scanners.data -> /etc/httpd/conf/crs/base_rules/modsecurity_35_scanners.data

lrwxrwxrwx 1 root root 66 Sep 23 09:36 modsecurity_40_generic_attacks.data -> /etc/httpd/conf/crs/base_rules/modsecurity_40_generic_attacks.data

lrwxrwxrwx 1 root root 35 Sep 23 09:37 modsecurity_42_comment_spam.data -> /etc/httpd/conf/crs/optional_rules//

lrwxrwxrwx 1 root root 59 Sep 23 09:36 modsecurity_50_outbound.data -> /etc/httpd/conf/crs/base_rules/modsecurity_50_outbound.data

lrwxrwxrwx 1 root root 67 Sep 23 09:36 modsecurity_50_outbound_malware.data -> /etc/httpd/conf/crs/base_rules/modsecurity_50_outbound_malware.data

lrwxrwxrwx 1 root root 49 Sep 23 09:22 modsecurity_crs_10_setup.conf -> /etc/httpd/conf/crs/modsecurity_crs_10_setup.conf

lrwxrwxrwx 1 root root 74 Sep 23 09:36 modsecurity_crs_20_protocol_violations.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf

lrwxrwxrwx 1 root root 73 Sep 23 09:36 modsecurity_crs_21_protocol_anomalies.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf

lrwxrwxrwx 1 root root 69 Sep 23 09:36 modsecurity_crs_23_request_limits.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf

lrwxrwxrwx 1 root root 66 Sep 23 09:36 modsecurity_crs_30_http_policy.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf

lrwxrwxrwx 1 root root 65 Sep 23 09:36 modsecurity_crs_35_bad_robots.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf

lrwxrwxrwx 1 root root 70 Sep 23 09:36 modsecurity_crs_40_generic_attacks.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf

lrwxrwxrwx 1 root root 76 Sep 23 09:36 modsecurity_crs_41_sql_injection_attacks.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

lrwxrwxrwx 1 root root 66 Sep 23 09:36 modsecurity_crs_41_xss_attacks.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf

lrwxrwxrwx 1 root root 35 Sep 23 09:37 modsecurity_crs_42_comment_spam.conf -> /etc/httpd/conf/crs/optional_rules//

lrwxrwxrwx 1 root root 69 Sep 23 09:36 modsecurity_crs_42_tight_security.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf

lrwxrwxrwx 1 root root 62 Sep 23 09:36 modsecurity_crs_45_trojans.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_45_trojans.conf

lrwxrwxrwx 1 root root 72 Sep 23 09:36 modsecurity_crs_47_common_exceptions.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf

lrwxrwxrwx 1 root root 79 Sep 23 09:36 modsecurity_crs_48_local_exceptions.conf.example -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example

lrwxrwxrwx 1 root root 71 Sep 23 09:36 modsecurity_crs_49_inbound_blocking.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf

lrwxrwxrwx 1 root root 63 Sep 23 09:36 modsecurity_crs_50_outbound.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_50_outbound.conf

lrwxrwxrwx 1 root root 72 Sep 23 09:36 modsecurity_crs_59_outbound_blocking.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf

lrwxrwxrwx 1 root root 66 Sep 23 09:36 modsecurity_crs_60_correlation.conf -> /etc/httpd/conf/crs/base_rules/modsecurity_crs_60_correlation.conf

-rw-r--r-- 1 root root 5.6K Apr 17 07:24 README

-> The two comment_spam entries point at the optional_rules// directory instead of at the files: the loop that created them used $f as the target while its loop variable was FILE, so the target expanded to the bare directory. Remove both links and recreate them with $FILE in the target path before restarting httpd.
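The listing above shows what a mistyped loop variable produces: links that point at a directory, not at a rule file. The script below is an added example, not part of the original lab or of the OWASP CRS project. It performs the same activation (setup file, everything in base_rules/, the comment_spam files from optional_rules/) with one loop variable, and then checks that every link in activated_rules resolves to a regular file before httpd is restarted. The CRS root is passed as an argument (the lab's is /etc/httpd/conf/crs); the file names under base_rules/ and optional_rules/ are whatever the downloaded CRS contains.

```shell
#!/bin/sh
# Added example (not from the original lab or the OWASP CRS project):
# activate CRS rule files by symlinking them into activated_rules/ and
# verify every link before httpd is restarted.

# link_rule TARGET DIR
# Replaces any existing link of the same name instead of relying on
# ln -sf: if the old link points at a directory, ln would follow it and
# create the new link inside that directory.
link_rule() {
    rm -f "$2/$(basename "$1")"
    ln -s "$1" "$2/$(basename "$1")"
}

# activate_crs_rules CRS_ROOT
# Links the setup file, everything in base_rules/ and the comment_spam
# files from optional_rules/ into CRS_ROOT/activated_rules/. Targets are
# absolute paths, so the links work whatever ServerRoot is.
activate_crs_rules() {
    crs_root="$1"
    act_dir="$crs_root/activated_rules"
    mkdir -p "$act_dir"

    link_rule "$crs_root/modsecurity_crs_10_setup.conf" "$act_dir"

    for rule_file in "$crs_root"/base_rules/*; do
        link_rule "$rule_file" "$act_dir"
    done

    # One variable for both the target and the link name. The lab's loop
    # used $f in the target and $FILE in the name, so the target expanded
    # to the bare optional_rules/ directory.
    for rule_file in "$crs_root"/optional_rules/*comment_spam*; do
        [ -e "$rule_file" ] || continue     # pattern matched nothing
        link_rule "$rule_file" "$act_dir"
    done
}

# check_rule_links DIR
# Prints every symlink in DIR that does not resolve to a regular file
# (dangling, or pointing at a directory as in the listing above) and
# returns 1 if any was found. Through such a link Apache reads the
# directory, not the rule file you meant to load.
check_rule_links() {
    bad=0
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        if [ ! -f "$link" ]; then
            echo "bad link: $link -> $(readlink "$link")"
            bad=1
        fi
    done
    return $bad
}
```

Run `activate_crs_rules /etc/httpd/conf/crs` and then `check_rule_links /etc/httpd/conf/crs/activated_rules`; only restart httpd when the check prints nothing.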

 

# cat /etc/httpd/conf/httpd.conf

..... (omitted) .....

207 #

208 # Load config files from the config directory "/etc/httpd/conf.d".

209 #

210 Include conf.d/*.conf

..... (omitted) .....

 

# cat /etc/httpd/conf.d/mod_security.conf

# Example configuration file for the mod_security Apache module

 

LoadModule security2_module modules/mod_security2.so

LoadModule unique_id_module modules/mod_unique_id.so

 

<IfModule mod_security2.c>

# This is the ModSecurity Core Rules Set.

 

# Basic configuration goes in here

Include modsecurity.d/modsecurity_crs_10_config.conf

 

# Protocol violation and anomalies.

 

Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf

Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

 

# HTTP policy rules

 

Include modsecurity.d/modsecurity_crs_30_http_policy.conf

 

# Here comes the Bad Stuff...

 

Include modsecurity.d/modsecurity_crs_35_bad_robots.conf

Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf

Include modsecurity.d/modsecurity_crs_45_trojans.conf

Include modsecurity.d/modsecurity_crs_50_outbound.conf

 

# Search engines and other crawlers. Only useful if you want to track

# Google / Yahoo et. al.

 

# Include modsecurity.d/modsecurity_crs_55_marketing.conf

 

# Put your local rules in here.

 

Include modsecurity.d/modsecurity_localrules.conf

</IfModule>
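The packaged mod_security.conf above still includes the 2.5.9-era rule set under modsecurity.d, while the CRS INSTALL file says to add an Include for conf/crs/activated_rules/*.conf to httpd.conf. ModSecurity requires every rule id to be unique across all loaded files, so loading both sets at once, or writing a local rule that reuses a CRS id, makes httpd refuse to start at the next restart (`httpd -t` reports it as a configuration error). The script below is an added example, not from the page or the ModSecurity project: it writes one local rule into the localrules file using an id from the range ModSecurity reserves for local rules (10001 is an arbitrary choice), and scans a set of rule files for duplicate ids. The rule pattern and the file paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page or the ModSecurity project):
# write one local rule and check a set of rule files for duplicate ids
# before restarting httpd.

# write_local_rules FILE
# Writes a rule that denies any request whose decoded arguments or URI
# contain "../", the pattern the LFI tool used later in the lab sends.
# The id 10001 is an arbitrary choice from 1-99999, the range ModSecurity
# reserves for local rules; CRS ids live in 900000-999999.
write_local_rules() {
    cat > "$1" <<'EOF'
# Local rules: kept in their own file so CRS updates never overwrite them.
SecRule ARGS|REQUEST_URI "@contains ../" \
    "id:10001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Local rule: directory traversal in request'"
EOF
}

# find_duplicate_rule_ids FILE...
# Prints each rule id that occurs more than once across FILE... Both the
# id:950103 and the id:'950103' spellings used by CRS 2.x are recognised;
# comment lines are ignored. Empty output means the set is safe to load.
find_duplicate_rule_ids() {
    grep -hv '^[[:space:]]*#' "$@" \
        | grep -o "id:'\{0,1\}[0-9]\{1,\}" \
        | tr -d "'" \
        | cut -d: -f2 \
        | sort -n \
        | uniq -d
}

# check_rule_set DIR...
# Exit status 0 when no id is duplicated across every *.conf under the
# given directories, 1 otherwise (the duplicates are printed). Run it on
# modsecurity.d and conf/crs/activated_rules together before adding the
# CRS Include to httpd.conf.
check_rule_set() {
    ndirs=$#
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] && set -- "$@" "$f"
        done
    done
    shift "$ndirs"
    dups=$(find_duplicate_rule_ids "$@")
    [ -z "$dups" ] && return 0
    echo "duplicate rule ids:" $dups
    return 1
}
```

If `check_rule_set /etc/httpd/modsecurity.d /etc/httpd/conf/crs/activated_rules` prints duplicates, comment out the old Include lines in mod_security.conf (or leave the overlapping CRS files unlinked) rather than loading both sets, then confirm with `httpd -t` before the restart.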

 

 

 

# service httpd restart

Stopping httpd: [FAILED]

Starting httpd: [ OK ]

-> "Stopping httpd" fails only because httpd was stopped before the packages were installed; "Starting httpd: [ OK ]" is the line that matters. If the start fails instead, look at error_log first: a duplicate rule id or a broken Include path in the rule files is reported there.

 

# pgrep -lf httpd

16819 /usr/sbin/httpd

16822 /usr/sbin/httpd

16823 /usr/sbin/httpd

16824 /usr/sbin/httpd

16825 /usr/sbin/httpd

16826 /usr/sbin/httpd

16827 /usr/sbin/httpd

16828 /usr/sbin/httpd

16829 /usr/sbin/httpd

 

# cd /etc/httpd

# ls -l

drwxr-xr-x 3 root root 4.0K Sep 23 11:03 conf/

drwxr-xr-x 2 root root 4.0K Sep 23 11:08 conf.d/

lrwxrwxrwx 1 root root 19 Sep 22 22:30 logs -> ../../var/log/httpd/

drwxr-xr-x 3 root root 4.0K Sep 22 22:28 modsecurity.d/

lrwxrwxrwx 1 root root 27 Sep 22 22:30 modules -> ../../usr/lib/httpd/modules/

lrwxrwxrwx 1 root root 13 Sep 22 22:30 run -> ../../var/run/

 

 

[Note] Where the logs are written

 

----> ModSecurity (WAF) ----> Apache (web server)

      modsec_audit.log        access_log

      modsec_debug.log        error_log

ModSecurity writes its own audit log (one entry per transaction, including the rule that matched) and, if enabled, a debug log; Apache still records every request in access_log and also writes ModSecurity's alert messages to error_log.

 

 

# cd logs (or # cd /var/log/httpd)

# ls

access_log error_log.2 ssl_access_log.1 ssl_error_log.3

access_log.1 error_log.3 ssl_access_log.2 ssl_error_log.4

access_log.2 error_log.4 ssl_access_log.3 ssl_request_log

access_log.3 modsec_audit.log ssl_error_log ssl_request_log.1

error_log modsec_debug.log ssl_error_log.1 ssl_request_log.2

error_log.1 ssl_access_log ssl_error_log.2 ssl_request_log.3

 

 

[TERM1] # tail -0f access_log

[TERM2] # tail -0f error_log

[TERM3] # tail -0f modsec_audit.log

[TERM4] # tail -0f modsec_debug.log
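Of the four logs being tailed, modsec_audit.log is the one that says which rule fired. With the default serial audit log type, each transaction is written as parts separated by `--<boundary>-<part>--` lines: A (timestamp, unique id, client and server address), B (request line and headers), F (response status and headers), H (ModSecurity messages and the action taken) and Z (end of entry). The script below is an added example, not from the page or the ModSecurity project: it condenses each transaction to timestamp, client, request, status and the ids of the rules that produced a Message, and counts 403 responses per client. The embedded sample log is constructed for the example; its addresses, timestamps and rule ids are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page or the ModSecurity project):
# summarise a ModSecurity 2.x serial audit log (modsec_audit.log) one line
# per transaction, and count denied requests per client.

# sample_audit_log
# Prints a constructed two-transaction audit log in serial format. The
# boundaries, addresses, timestamps and rule ids are made up for this
# example; the layout is the one the serial log type uses.
sample_audit_log() {
    cat <<'EOF'
--7c5d3f2a-A--
[23/Sep/2014:11:20:01 +0900] VCDEFGH8AAAAAAAAAAAAAAAA 192.168.20.201 54321 192.168.20.200 80
--7c5d3f2a-B--
GET /index.php?page=../../../../etc/passwd HTTP/1.1
Host: 192.168.20.200
User-Agent: Mozilla/5.0

--7c5d3f2a-F--
HTTP/1.1 403 Forbidden
Content-Length: 303
Content-Type: text/html; charset=iso-8859-1

--7c5d3f2a-H--
Message: Warning. Pattern match "\.\./" at ARGS:page. [file "/etc/httpd/conf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [id "950103"] [msg "Path Traversal Attack"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/conf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"]
Action: Intercepted (phase 2)
Stopwatch: 1411438801000000 2345 (- - -)

--7c5d3f2a-Z--

--9e01b4c7-A--
[23/Sep/2014:11:20:05 +0900] VCDEFGL8AAAAAAAAAAAAAAAB 192.168.20.201 54322 192.168.20.200 80
--9e01b4c7-B--
GET /index.php?page=about HTTP/1.1
Host: 192.168.20.200

--9e01b4c7-F--
HTTP/1.1 200 OK
Content-Length: 1024

--9e01b4c7-H--
Stopwatch: 1411438805000000 1200 (- - -)

--9e01b4c7-Z--

EOF
}

# modsec_audit_summary [FILE...]
# One line per transaction: timestamp, client IP, method and URI, response
# status, and the comma-separated ids of every rule that logged a Message
# ("-" when nothing matched). Reads stdin when no file is given.
modsec_audit_summary() {
    awk '
    /^--[0-9a-fA-F]+-[A-Z]--$/ {
        part = substr($0, length($0) - 2, 1)
        if (part == "A") { ts = client = req = status = ids = "" }
        if (part == "Z") print ts, client, req, (status == "" ? "-" : status), (ids == "" ? "-" : ids)
        first = 1        # next non-empty line is the first line of the part
        next
    }
    /^$/ { next }
    part == "A" && first { ts = $1 " " $2; client = $4; first = 0 }
    part == "B" && first { req = $1 " " $2; first = 0 }
    part == "F" && first { status = $2; first = 0 }
    part == "H" && /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
        id = substr($0, RSTART + 5, RLENGTH - 7)
        ids = (ids == "" ? id : ids "," id)
    }
    ' "$@"
}

# modsec_denied_by_client [FILE...]
# Number of 403 responses per client IP, most frequent first: the first
# thing to look at when deciding whether a client is a scanner.
modsec_denied_by_client() {
    modsec_audit_summary "$@" \
        | awk '$6 == "403" { n[$3]++ } END { for (c in n) print n[c], c }' \
        | sort -rn
}
```

On linux200, `modsec_audit_summary /var/log/httpd/modsec_audit.log` gives one line per request the WAF recorded; with SecAuditEngine set to RelevantOnly only the blocked or erroring transactions appear, which is usually what you want during the attack lab.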


fimap is used as the tool for the web attack.

 

(KaliLinux)

 

(Note) As of 2016-06-01, the fimap plugins could not be installed.

Therefore, the paros tool (in Kali Linux) was used when running the lab.

 

fimap

A Python tool that automatically finds, checks and exploits local and remote file inclusion (LFI and RFI) bugs in web applications.

 

# fimap --install-plugins

fimap v.09 (For the Swarm)

:: Automatic LFI/RFI scanner and exploiter

:: by Iman Karim (fimap.dev@gmail.com)

 

Requesting list of plugins...

##################################################################################################################

#LIST OF TRUSTED PLUGINS #

##################################################################################################################

#[1] Weevils injector by Darren "Infodox" Martyn <infodox@insecurety.net> - At version 2 not installed. #

#[2] AES HTTP reverse shell by Darren "Infodox" Martyn <infodox@insecurety.net> - At version 1 not installed. #

#[q] Cancel and Quit. #

##################################################################################################################

Choose a plugin to install: 1

Downloading plugin 'weevils' (http://85.214.72.67/fimap_plugins/weevils-0.2.tar.gz)...

Unpacking plugin...

Plugin 'Upload Weevely' installed successfully!

There are two installable plugins. To install both, run the command twice, installing one plugin each time.

 

# fimap --install-plugins

fimap v.09 (For the Swarm)

:: Automatic LFI/RFI scanner and exploiter

:: by Iman Karim (fimap.dev@gmail.com)

 

Requesting list of plugins...

##################################################################################################################

#LIST OF TRUSTED PLUGINS #

##################################################################################################################

#[1] Weevils injector by Darren "Infodox" Martyn <infodox@insecurety.net> - At version 2 has an UPDATE. #

#[2] AES HTTP reverse shell by Darren "Infodox" Martyn <infodox@insecurety.net> - At version 1 not installed. #

#[q] Cancel and Quit. #

##################################################################################################################

Choose a plugin to install: 2

Downloading plugin 'aeshttp' (http://85.214.72.67/fimap_plugins/aeshttp-0.1.tar.gz)...

Unpacking plugin...

Plugin 'AES HTTP Reverse Shell Injector' installed successfully!

 

# fimap --help

fimap v.09 (For the Swarm)

:: Automatic LFI/RFI scanner and exploiter

:: by Iman Karim (fimap.dev@gmail.com)

 

Usage: ./fimap.py [options]

## Operating Modes:

-s , --single Mode to scan a single URL for FI errors.

Needs URL (-u). This mode is the default.

-m , --mass Mode for mass scanning. Will check every URL

from a given list (-l) for FI errors.

-g , --google Mode to use Google to aquire URLs.

Needs a query (-q) as google search query.

-H , --harvest Mode to harvest a URL recursivly for new URLs.

Needs a root url (-u) to start crawling there.

Also needs (-w) to write a URL list for mass mode.

-4 , --autoawesome With the AutoAwesome mode fimap will fetch all

forms and headers found on the site you defined

and tries to find file inclusion bugs thru them. Needs an

URL (-u).

## Techniques:

-b , --enable-blind Enables blind FI-Bug testing when no error messages are printed.

Note that this mode will cause lots of requests compared to the

default method. Can be used with -s, -m or -g.

-D , --dot-truncation Enables dot truncation technique to get rid of the suffix if

the default mode (nullbyte poison) failed. This mode can cause

tons of requests depending how you configure it.

By default this mode only tests windows servers.

Can be used with -s, -m or -g. Experimental.

-M , --multiply-term=X Multiply terminal symbols like '.' and '/' in the path by X.

## Variables:

-u , --url=URL The URL you want to test.

Needed in single mode (-s).

-l , --list=LIST The URL-LIST you want to test.

Needed in mass mode (-m).

-q , --query=QUERY The Google Search QUERY.

Example: 'inurl:include.php'

Needed in Google Mode (-g)

--skip-pages=X Skip the first X pages from the Googlescanner.

-p , --pages=COUNT Define the COUNT of pages to search (-g).

Default is 10.

--results=COUNT The count of results the Googlescanner should get per page.

Possible values: 10, 25, 50 or 100(default).

--googlesleep=TIME The time in seconds the Googlescanner should wait befor each

request to google. fimap will count the time between two requests

and will sleep if it's needed to reach your cooldown. Default is 5.

-w , --write=LIST The LIST which will be written if you have choosen

harvest mode (-H). This file will be opened in APPEND mode.

-d , --depth=CRAWLDEPTH The CRAWLDEPTH (recurse level) you want to crawl your target site

in harvest mode (-H). Default is 1.

-P , --post=POSTDATA The POSTDATA you want to send. All variables inside

will also be scanned for file inclusion bugs.

--cookie=COOKIES Define the cookie which should be send with each request.

Also the cookies will be scanned for file inclusion bugs.

Concatenate multiple cookies with the ';' character.

--ttl=SECONDS Define the TTL (in seconds) for requests. Default is 30 seconds.

--no-auto-detect Use this switch if you don't want to let fimap automaticly detect

the target language in blind-mode. In that case you will get some

options you can choose if fimap isn't sure which lang it is.

--bmin=BLIND_MIN Define here the minimum count of directories fimap should walk thru

in blind mode. The default number is defined in the generic.xml

--bmax=BLIND_MAX Define here the maximum count of directories fimap should walk thru.

--dot-trunc-min=700 The count of dots to begin with in dot-truncation mode.

--dot-trunc-max=2000 The count of dots to end with in dot-truncation mode.

--dot-trunc-step=50 The step size for each round in dot-truncation mode.

--dot-trunc-ratio=0.095 The maximum ratio to detect if dot truncation was successfull.

--dot-trunc-also-unix Use this if dot-truncation should also be tested on unix servers.

--force-os=OS Forces fimap to test only files for the OS.

OS can be 'unix' or 'windows'

## Attack Kit:

-x , --exploit Starts an interactive session where you can

select a target and do some action.

-T , --tab-complete Enables TAB-Completation in exploit mode. Needs readline module.

Use this if you want to be able to tab-complete thru remote

files\dirs. Eats an extra request for every 'cd' command.

## Disguise Kit:

-A , --user-agent=UA The User-Agent which should be sent.

--http-proxy=PROXY Setup your proxy with this option. But read this facts:

* The googlescanner will ignore the proxy to get the URLs,

but the pentest\attack itself will go thru proxy.

* PROXY should be in format like this: 127.0.0.1:8080

* It's experimental

--show-my-ip Shows your internet IP, current country and user-agent.

Useful if you want to test your vpn\proxy config.

## Plugins:

--plugins List all loaded plugins and quit after that.

-I , --install-plugins Shows some official exploit-mode plugins you can install

and\or upgrade.

## Other:

--update-def Checks and updates your definition files found in the

config directory.

--test-rfi A quick test to see if you have configured RFI nicely.

--merge-xml=XMLFILE Use this if you have another fimap XMLFILE you want to

include to your own fimap_result.xml.

-C , --enable-color Enables a colorful output. Works only in linux!

--force-run Ignore the instance check and just run fimap even if a lockfile

exists. WARNING: This may erase your fimap_results.xml file!

-v , --verbose=LEVEL Verbose level you want to receive.

LEVEL=3 -> Debug

LEVEL=2 -> Info(Default)

LEVEL=1 -> Messages

LEVEL=0 -> High-Level

--credits Shows some credits.

--greetings Some greetings ;)

-h , --help Shows this cruft.

## Examples:

1. Scan a single URL for FI errors:

./fimap.py -u 'http://localhost/test.php?file=bang&id=23'

2. Scan a list of URLS for FI errors:

./fimap.py -m -l '/tmp/urllist.txt'

3. Scan Google search results for FI errors:

./fimap.py -g -q 'inurl:include.php'

4. Harvest all links of a webpage with recurse level of 3 and

write the URLs to /tmp/urllist

./fimap.py -H -u 'http://localhost' -d 3 -w /tmp/urllist

 

 

 

 

# fimap -u 'http://192.168.20.200/test.php?file=bang&id=23'

fimap v.09 (For the Swarm)

:: Automatic LFI/RFI scanner and exploiter

:: by Iman Karim (fimap.dev@gmail.com)

 

SingleScan is testing URL: 'http://192.168.20.200/test.php?file=bang&id=23'

[08:37:31] [OUT] Inspecting URL 'http://192.168.20.200/test.php?file=bang&id=23'...

[08:37:31] [INFO] Fiddling around with URL...

[08:37:31] [WARN] HTTP Error 400: Bad Request

[08:37:31] [WARN] HTTP Error 400: Bad Request

Target URL isn't affected by any file inclusion bug :(

-> fimap checks whether a file inclusion vulnerability exists.

-> Check the logs on the web server (WAF). (The output may appear with a delay.)

-> The --force-run option can also be given to the fimap command.

# fimap --force-run -u "http://192.168.20.200/?p=2475"

 

 

Analyze the attack packets with Wireshark.

 

 

(linux200) Web Application Firewall

[TERM1] # tail -0f access_log

192.168.20.50 - - [12/Dec/2014:17:31:30 +0900] "GET /test.php?file=bang&id=LOmISkC5 HTTP/1.1" 400 302 "-" "fimap.googlecode.com/v09 (For the Swarm)"

192.168.20.50 - - [12/Dec/2014:17:31:30 +0900] "GET /test.php?file=W9YWiyO6&id=23 HTTP/1.1" 400 302 "-" "fimap.googlecode.com/v09 (For the Swarm)"

 

[TERM2] # tail -0f err_log

[Fri Dec 12 17:24:23 2014] [notice] caught SIGTERM, shutting down

[Fri Dec 12 17:24:23 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

[Fri Dec 12 17:24:24 2014] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.

[Fri Dec 12 17:24:24 2014] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.

[Fri Dec 12 17:24:24 2014] [notice] Original server signature: Apache/2.2.22 (EL)

[Fri Dec 12 17:24:24 2014] [notice] Digest: generating secret for digest authentication ...

[Fri Dec 12 17:24:24 2014] [notice] Digest: done

[Fri Dec 12 17:24:25 2014] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.

[Fri Dec 12 17:24:25 2014] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.

[Fri Dec 12 17:24:25 2014] [notice] Apache/2.2.22 (Unix) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 Apache/2.2.0 (Fedora) mod_perl/2.0.4 Perl/v5.8.8 configured -- resuming normal operations

[Fri Dec 12 17:26:41 2014] [notice] caught SIGTERM, shutting down

[Fri Dec 12 17:26:59 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

[Fri Dec 12 17:27:00 2014] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.

[Fri Dec 12 17:27:00 2014] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.

[Fri Dec 12 17:27:00 2014] [notice] Original server signature: Apache/2.2.22 (EL)

[Fri Dec 12 17:27:00 2014] [notice] Digest: generating secret for digest authentication ...

[Fri Dec 12 17:27:00 2014] [notice] Digest: done

[Fri Dec 12 17:27:01 2014] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.

[Fri Dec 12 17:27:01 2014] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.

[Fri Dec 12 17:27:01 2014] [notice] Apache/2.2.22 (Unix) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 Apache/2.2.0 (Fedora) mod_perl/2.0.4 Perl/v5.8.8 configured -- resuming normal operations

[Fri Dec 12 17:31:30 2014] [error] [client 192.168.20.50] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.20.200"] [uri "/test.php"] [unique_id "VIqn4sCoFMgAAB6IH7EAAAAA"]

[Fri Dec 12 17:31:30 2014] [error] [client 192.168.20.50] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.20.200"] [uri "/test.php"] [unique_id "VIqn4sCoFMgAAB6JIAYAAAAB"]

 

 

 

[TERM3] # tail -0f modsec_audit.log

--d309977a-A--

[12/Dec/2014:17:31:30 +0900] VIqn4sCoFMgAAB6IH7EAAAAA 192.168.20.50 54678 192.168.20.200 80

--d309977a-B--

GET /test.php?file=bang&id=LOmISkC5 HTTP/1.1

Accept-Encoding: identity

Host: 192.168.20.200

Accept-Language: en-us,en;q=0.5

Connection: close

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: fimap.googlecode.com/v09 (For the Swarm)

 

--d309977a-F--

HTTP/1.1 400 Bad Request

Content-Length: 302

Connection: close

Content-Type: text/html; charset=iso-8859-1

 

--d309977a-H--

Message: Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]

Action: Intercepted (phase 2)

Apache-Handler: php5-script

Stopwatch: 1418373090833289 6370 (5782 6076 -)

Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/1.6.1.

Server: Apache/2.2.22 (EL)

 

--d309977a-K--

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:4"

SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d\\.]+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST"

SecRule "RESPONSE_STATUS" "@rx ^400$" "phase:5,t:none,chain,log,auditlog,pass,msg:'Invalid request',id:960913,severity:2"

 

--d309977a-Z--

 

--d309977a-A--

[12/Dec/2014:17:31:30 +0900] VIqn4sCoFMgAAB6JIAYAAAAB 192.168.20.50 54679 192.168.20.200 80

--d309977a-B--

GET /test.php?file=W9YWiyO6&id=23 HTTP/1.1

Accept-Encoding: identity

Host: 192.168.20.200

Accept-Language: en-us,en;q=0.5

Connection: close

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: fimap.googlecode.com/v09 (For the Swarm)

 

--d309977a-F--

HTTP/1.1 400 Bad Request

Content-Length: 302

Connection: close

Content-Type: text/html; charset=iso-8859-1

 

--d309977a-H--

Message: Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]

Action: Intercepted (phase 2)

Apache-Handler: php5-script

Stopwatch: 1418373090841735 612 (287 463 -)

Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/1.6.1.

Server: Apache/2.2.22 (EL)

 

--d309977a-K--

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:4"

SecRule "REQUEST_HEADERS:Host" "@rx ^[\\d\\.]+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Host header is a numeric IP address',severity:2,id:960017,tag:PROTOCOL_VIOLATION/IP_HOST"

SecRule "RESPONSE_STATUS" "@rx ^400$" "phase:5,t:none,chain,log,auditlog,pass,msg:'Invalid request',id:960913,severity:2"

 

--d309977a-Z--

 

 

 

[TERM4] # tail -0f modsec_debug.log

[12/Dec/2014:17:31:30 +0900] [192.168.20.200/sid#94ef4f8][rid#9a6e5e0][/test.php][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]

[12/Dec/2014:17:31:30 +0900] [192.168.20.200/sid#94ef4f8][rid#9a6e5e0][/test.php][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
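As an added example (not code from this page or from the ModSecurity project), a small Python parser for the error_log lines shown above: it pulls the rule id, message, matched variable, client IP, URI and tags out of each ModSecurity block event and counts blocks per rule and per client. The sample log lines are constructed from this lab's output; the regex and function names are assumptions of this example.

```python
"""ModSecurity error_log parser: added example for this lab, not page or ModSecurity code."""
import re
from collections import Counter

# Constructed sample (from this lab's error_log output): one notice line, two rule-960017 blocks.
SAMPLE_ERROR_LOG = r"""
[Fri Dec 12 17:27:00 2014] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Fri Dec 12 17:31:30 2014] [error] [client 192.168.20.50] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.20.200"] [uri "/test.php"] [unique_id "VIqn4sCoFMgAAB6IH7EAAAAA"]
[Fri Dec 12 17:31:30 2014] [error] [client 192.168.20.50] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.20.200"] [uri "/test.php"] [unique_id "VIqn4sCoFMgAAB6JIAYAAAAB"]
"""

# Apache 2.2 prefix as in the lab ("[error] [client IP]"); the optional parts also accept
# the Apache 2.4 layout "[:error] [pid N] [client IP:PORT]".
PREFIX_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:?error\](?: \[pid [^\]]+\])? \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?:Access denied with code (?P<status>\d+)|Warning)'
)
# Bracketed key/value pairs such as [id "960017"] [msg "..."]; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
# The variable the operator matched, e.g. ' at REQUEST_HEADERS:Host. [file ...'
VAR_RE = re.compile(r' at (?P<var>\S+)\. \[file ')

def parse_modsec_error_line(line):
    """Return a dict for a ModSecurity event line, or None for any other error_log line."""
    m = PREFIX_RE.match(line)
    if m is None:
        return None
    client = m.group('client')
    ip = re.fullmatch(r'(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?', client)  # drop :port if present
    var = VAR_RE.search(line)
    event = {'ts': m.group('ts'), 'client': ip.group(1) if ip else client,
             'status': int(m.group('status')) if m.group('status') else None,  # None: warning only
             'variable': var.group('var') if var else None, 'tags': []}
    for key, val in FIELD_RE.findall(line):
        if key == 'tag':          # a rule may carry several tags
            event['tags'].append(val)
        else:                     # file, line, id, msg, severity, hostname, uri, unique_id
            event[key] = val
    return event

def parse_modsec_error_log(text):
    """Parse an error_log excerpt, skipping lines that are not ModSecurity events."""
    return [e for e in map(parse_modsec_error_line, text.strip().splitlines()) if e]

def summarize(events):
    """Count blocked requests (those with a status code) per rule id/msg and per client."""
    blocked = [e for e in events if e['status'] is not None]
    return {'by_rule': Counter((e.get('id'), e.get('msg')) for e in blocked),
            'by_client': Counter(e['client'] for e in blocked)}

if __name__ == '__main__':
    for e in parse_modsec_error_log(SAMPLE_ERROR_LOG):
        print(e['ts'], e['client'], e['status'], e.get('id'), e.get('uri'), e.get('msg'))
    print(summarize(parse_modsec_error_log(SAMPLE_ERROR_LOG)))
```

The same bracketed-field regex also applies to the `Message:` line of the audit log's H section, so one parser can correlate a block in error_log with its `unique_id` in modsec_audit.log.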

 

 

 

(Restore) When the lab is finished, do the following.

Restore the yum repository settings (if separately created *.repo files exist)
# cd /etc/yum.repos.d
# vi utterramblings.repo (enabled=0)
# vi hello.repo (enabled=0)

Restore the WAF configuration file
# cd /etc/httpd/conf.d
# mv /etc/httpd/conf.d/mod_security.conf /etc/httpd

 

 

 

[Assignment] Perform web attacks with various tools and verify that the WAF filters them correctly (time: about 1 hour)

- Check using YouTube videos.

- (EX) OWASP ZAP - a vulnerability scanner that checks for the OWASP Top 10 vulnerabilities

 

 

 

